Add the timeroast module #19748
Conversation
errors['DELAY'] = 'DELAY can not be negative.' if datastore['DELAY'].to_i < 0
errors['TIMEOUT'] = 'TIMEOUT can not be negative.' if datastore['TIMEOUT'].to_i < 0
It might make sense to add an OptPositiveInt datastore option at some point I think
I like the idea but IMHO, it'd be better implemented with minimum and maximum arguments to OptInt that would be used in the #valid? method.
It also works. My main concern was to avoid modules implementing the same boilerplate as you did :)
Co-authored-by: Brendan <[email protected]>
Release Notes: Adds a module for timeroasting, a technique where the RID of a computer account is used in a crafted NTP frame that, when received by a Domain Controller, will prompt the DC to respond with an NTP frame containing a cryptographic hash.
This adds a module for timeroasting. Timeroasting is a technique where the RID of a computer account is used in a crafted NTP frame that, when received by a Domain Controller, will prompt the DC to respond with an NTP frame containing a cryptographic hash. This cryptographic hash is md5(NT_Hash + Response[:48]), where NT_Hash is the NT hash of the machine account (md4(password.encode('UTF-16LE'))) whose RID was targeted. The NTP response can then be cracked offline by John the Ripper or hashcat to obtain the plaintext value of the machine account.
Closes #19686
Timeroast Quick Check
The following script can be used to validate a single password against a hash in lieu of compiling and messing with the options of john the ripper. It also demonstrates in more detail how the password is calculated.
Example usage:
New OptIntRange Datastore Option
This adds a new OptIntRange datastore option that can be used to specify a mixture of natural numbers (e.g. 1234) and natural number ranges (e.g. 12-34). Multiple members can be specified using a comma separator. Due to the - character being used for ranges, it is not possible to specify negative numbers. This should be useful in the future for things like port ranges. In the case of things like ports, a maximum value can be specified with the maximum keyword. A port range would simply set this to 0xffff. In this case, the Microsoft docs note that the max RID depends on the version of the domain, so there isn't a maximum in use.
In BNF notation, the syntax is as follows:
Tests have been included for this new option type.
Verification
- Use the auxiliary/admin/dcerpc/samr_account module to create a new computer account with the ADD_COMPUTER action
- Use the auxiliary/scanner/ntp/timeroast module
- Set the RHOSTS option to the target domain controller
- Set the RIDS option to the RID of the new account
- After running the module, check the captured hash with the creds command if a database is connected
Demo
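The OptIntRange section above states the rules of the new option (natural numbers, N-M ranges, comma separators, no negatives because - is the range separator, an optional maximum such as 0xffff for ports) but the BNF itself is not reproduced. The following is an added example for this page, written in Python rather than the option's Ruby implementation and not the project's code; it applies only those stated rules, and the names parse_int_range, valid_int_range and IntRangeError are this example's own.

```python
"""Parser and validity check for the comma-separated N / N-M syntax of OptIntRange.

Added example for this PR thread; it is not Metasploit's OptIntRange class.
"""
import re
from typing import List, Optional

# One member: a natural number, optionally followed by '-' and a second one.
# A leading '-' cannot match, so negative numbers are rejected by construction.
_MEMBER = re.compile(r"\A(\d+)(?:-(\d+))?\Z")


class IntRangeError(ValueError):
    """Raised for a member that does not fit the grammar or the configured bounds."""


def parse_int_range(spec: str, maximum: Optional[int] = None) -> List[int]:
    """Expand spec into a sorted, de-duplicated list of integers.

    Rejects empty members, anything that is not a natural number or N-M range,
    reversed ranges such as 34-12, and any value above `maximum` when one is
    given (e.g. 0xffff for ports). No maximum is applied when it is None, which
    matches the RID case described in the PR.
    """
    values = set()
    for raw in spec.split(","):
        member = raw.strip()
        m = _MEMBER.match(member)
        if not m:
            raise IntRangeError(f"invalid member {raw!r}")
        low = int(m.group(1))
        high = int(m.group(2)) if m.group(2) is not None else low
        if high < low:
            raise IntRangeError(f"range {member!r} runs backwards")
        if maximum is not None and high > maximum:
            raise IntRangeError(f"{member!r} exceeds maximum {maximum}")
        values.update(range(low, high + 1))
    return sorted(values)


def valid_int_range(spec: str, maximum: Optional[int] = None) -> bool:
    """The '#valid?'-style check an option would run before the module starts."""
    try:
        parse_int_range(spec, maximum)
    except IntRangeError:
        return False
    return True


if __name__ == "__main__":
    print(parse_int_range("1234,12-34"))
    for spec in ("1105", "-5", "34-12", "70000"):
        print(f"{spec!r} valid as a port range: {valid_int_range(spec, maximum=0xffff)}")
```

Expanding the ranges eagerly is fine for ports and for the RID lists a module like this one would receive; if a caller ever passes something like 1-4294967295 the set would be the problem, so a production option should keep the (low, high) pairs and iterate lazily instead.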